GPL-3 Deltas Assessment 1 Contents
2 Impact 3
3 Delta causes outdated package to be shipped ...... 3
4 Delta causes alternative package dependency to be used ...... 3
5 Delta causes functionality to be disabled ...... 4
6 Package summary 4
7 Required Action 5
8 Delta causes outdated package to be shipped ...... 6
9 Package readline5 ...... 6
10 Package tar-gplv2 ...... 7
11 Package cpio-gplv2 ...... 8
12 Package diffutils-gplv2 ...... 9
13 Package findutils-gplv2 ...... 10
14 Package grep-gplv2 ...... 11
15 Package gzip-gplv2 ...... 12
16 Package sed-gplv2 ...... 13
17 Initial tests 13
18 General conclusions 13
19 Apertis the distribution is derived from Debian, from which it takes its philos-
20 ophy, tools, workflows and packages. This robust, friendly and mature distri-
21 bution provides a solid base on which to build an offering to suite the needs of
22 very demanding markets such as the automotive industry.
23 One big difference between Apertis and Debian is that Apertis avoids certain 1 24 licenses , in order to allow its target market to avoid legal issues. Several licenses
25 are considered unsuitable in parts of Apertis, GPL-3 being the most important
26 one. As a consequence of this, Apertis adopts a number of strategies to ensure
27 packages meant to be installed on target devices comply with these license
28 restrictions.
29 Several documents already cover specific cases or scenarios, which present the
30 biggest licensing challenges: 2 31 • GPL-3-free replacements of coreutils 3 32 • License-compliant TLS stack for Apertis targets 4 33 • GPL-3-free replacements of GnuPG
34 Besides the topics covered by the above documents, Apertis implements different
35 strategies to avoid such problems. In the cases where package license changed
1https://www.apertis.org/policies/license-expectations/ 2https://www.apertis.org/concepts/coreutils-replacement/ 3https://www.apertis.org/concepts/tls-stack/ 4https://www.apertis.org/concepts/gnupg-replacement/
2 36 from GPL-2 to GPL-3, Apertis continues shipping the last license friendly ver-
37 sion of the package, appending the suffix -gplv2 if it is needed to differentiate
38 from the latest version
39 • readline5
40 • cpio-gplv2
41 • diffutils-gplv2
42 • findutils-gplv2
43 • grep-gplv2
44 • gzip-gplv2
45 • sed-gplv2
46 • tar-gplv2
47 In other cases, where the license issues was not in the package itself, but in
48 one of its dependencies, Apertis tries to avoid the problem by either using a
49 different equivalent dependency or using the last suitably licensed version ofit.
50 In those cases where the functionality provided by the dependency is not really
51 required, Apertis opts for removing or disabling such functionality and in that
52 way dropping the dependency.
53 Impact
54 As discussed in the introduction, depending on the situation the impact of a
55 delta is different. Based on the type of delta we can enumerate the following
56 scenarios:
57 • Delta causes outdated package to be shipped
58 • Delta causes alternative package dependency to be used when compared
59 to Debian
60 • Delta causes functionality to be disabled
61 Additionally the following aspects should be taken into account:
62 • Possibility of delta increment across time
63 • Number of packages in the dependency change
64 Delta causes outdated package to be shipped
65 Since Apertis derives from Debian, generally it ships the same version, but as
66 mentioned, in some cases it keeps shipping a specific version of a package for
67 the target component, while keeping the latest in the development suite.
68 In general the impact of this kind of delta is high, since Apertis carries an old
69 version of a package without updates and security bugfixes. For this reason
70 deltas under this category should be examined closely, specially taking into
71 account the aspects previously mentioned.
72 Below is a list of packages that are frozen at a specific version previous to the
73 license change and the packages that depend on them in the target component.
3 74 • readline5 (version 5.2)
75 – bluez
76 – connman
77 • cpio-gplv2 (version 2.8)
78 – initramfs-tools-core
79 • diffutils-gplv2 (version 2.8.1)
80 • findutils-gplv2 (version 4.2.31)
81 • grep-gplv2 (version 2.5.1a)
82 • gzip-gplv2 (version 1.3.12)
83 • sed-gplv2 (version 4.1.2)
84 • tar-gplv2 (version 1.17)
85 – dpkg
86 From the list above it clear that readline5 cpio-gplv2 and tar-gplv2 are the
87 package with higher impact in the system as they are used by other packages.
88 Delta causes alternative package dependency to be used
89 When it is possible to find an alternative to a package without license issues
90 which provides similar functionality and it is present in Debian, the approach
91 used is to switch to it, causing a delta. However, since the functionality is kept,
92 the impact of the delta is considered lower than previous cases.
93 Delta causes functionality to be disabled
94 Under some circumstances, Apertis chooses to disable functionality to avoid a
95 license issue. This approach is only valid if the functionality is not important,
96 which requires an evaluation. Once it has been decided that the functionality is
97 not a strong requirement a delta is introduced to disable it and drop dependen-
98 cies which use unfriendly licenses. This generally only introduces a minor delta
99 with respect to the package in Debian and is easy to maintain and port forward
100 with updates in Debian.
101 Package summary
102 The table below shows the packages which have a license related delta with
103 respect to Debian Bullseye. They are split into the following categories based
104 on the scenarios described above:
105 • DF0: Disable functionality
106 • DF1: Disable minor functionality
107 • OP: Outdated package
108 • AP0: Use alternative outdated package
109 • AP1: Use alternative package
4 Package Category Information base-files DF0 Remove license information for GPL-3 LGPL-3 and MPL-1.1 bind9 DF0 Disable libidn2 bluez AP0 Use of libreadline-gplv2-dev connman AP0 Use of libreadline-gplv2-dev coreutils-gplv2 OP Outdated GPL-3 free version cpio-gplv2 OP Outdated GPL-3 free version curl DF0 Disable libidn2 librtmp cyrus-sasl2 DF0 Disable saslfinger libdes and krb4 diffutils-gplv2 OP Outdated GPL-3 free version findutils-gplv2 OP Outdated GPL-3 free version flatpak DF0 Disable gpg glib-networking AP1 Use openssl instead of gnutls glibc AP1 Avoid bashisms gnupg2 XXX Need to be moved to development gpgme1.0 AP0 Use of gunpg, drop libassuan grep-gplv2 OP Outdated GPL-3 free version gstreamer1.0 DF1 Disable libdw gtk+3.0 DF1 Disable cups gvfs DF0 Disable trashlib gzip-gplv2 OP Outdated GPL-3 free version initramfs-tools AP0 Use coreutils-gplv2 libblockdev DF0 Disable parted libcanberra DF0 Disable tdb liboauth AP1 Use curl openssl instead of curl gnutls mesa DF0 Disable libefl mktemp XXX Empty package, implemented in coreutils openjpeg2 AP1 Use curl openssl instead of curl gnutls openldap AP1 Use curl openssl instead of curl gnutls ostree DF0 Disable libgpgme pam DF0 Replace pam-auth-update, disable NIS pipewire DF0 Disable libsdl2 pulseaudio DF0 Disable libtdb readline5 OP Outdated GPL-3 free version sed-gplv2 OP Outdated GPL-3 free version systemd DF0 Disable libdw, gnutls, libmicrohttpd tar-gplv2 OP Outdated GPL-3 free version totem-pl-parser DF1 Disable libquvi tumbler DF0 Use curl openssl instead of curl gnutls udisks2 DF0 Disable parted util-linux DF1 Disable parse_date v4l-utils DF1 Disable gettext webkit2gtk DF1 Disable libenchant-2 wpa AP1 Use internal line edit instead of readline
5 110 Required Action
111 We believe that the following actions are required to reduce the impact of these
112 deltas. We have proposed different strategies depending on the impact ofthe
113 delta, focusing on those which cause outdated packages to be shipped.
114 Other types of delta in general lead to reduced functionality which should be
115 addressed only if it is required by a specific use case.
116 For the remaining cases, the impact is only related to drop functionality, which
117 have little value for Apertis, in consequence we believe that the best approach
118 is to keep the delta.
119 The strategies relies in find the best possible alternative, taking into account 5 120 • License: The replacement should meet Apertis license expectations in
121 order to be consider as a valid one
122 • Debian support: The Debian support guarantees a community support on
123 the package and a easy adoption in Apertis
124 • Compatibility: The replacement should provide the functionality required
125 by Apertis on target images. Since the focus is on embedded devices, this
126 is usually a small subset of the functionality provided by a fully featured
127 tool, designed to be used by a user from a command line. For example,
128 several alternative command line tools may use different arguments to
129 provide functionality, for which existing users can be trivially altered or
130 lack certain options, but in many cases these options will have little or no
131 value when used in Apertis.
132 Delta causes outdated package to be shipped
133 This type of delta is the most problematic and requires immediate action as
134 these packages are currently not receiving security updates and thus present a
135 security risk.
136 Package readline5
137 Source: https://tiswww.case.edu/php/chet/readline/rltop.html
138 The readline5 package ships version 5.2 of GNU readline. It provides a set of
139 functions for use by applications that allow users to edit command lines as they
140 are typed in. This same functionality can be provided by: 6 141 • libedit : This is an autotool- and libtoolized port of the NetBSD Editline
142 library (libedit). This Berkeley-style licensed command line editor library
143 provides generic line editing, history, and tokenization functions, similar
144 to those found in GNU Readline. 5https://www.apertis.org/policies/license-expectations/ 6https://www.thrysoee.dk/editline/
6 145 – License: BSD-3-Clause
146 – Debian: Present
147 – Apertis: Present (target) 7 148 • replxx : A small, portable GNU readline replacement for Linux, Windows
149 and MacOS which is capable of handling UTF-8 characters. Unlike GNU
150 readline, which is GPL, this library uses a BSD license and can be used
151 in any kind of program.
152 – License: BSD-3-Clause
153 – Debian: Not present
154 – Apertis: Not present
155 Conclusion
156 Since libedit is a mature package, based on NetBSD Editline library and is
157 already present in Apertis, it is the primary candidate as a replacement. The
158 approach in this case is to add support for it as alternative for readline in the
159 packages which depend on it (bluez and connman).
160 Package tar-gplv2
161 Source: https://www.gnu.org/software/tar/
162 Package tar-gplv2 ships version 1.17 of GNU tar which provides the ability to
163 create and manipulate tar archives. There are the following alternatives with
164 the same functionality: 8 165 • libarchive : Multi-format archive and compression library, which includes
166 the libarchive library, the bsdtar and bsdcpio command-line programs,
167 full test suite, and documentation.
168 – License: BSD-2-clause
169 – Debian: Present
170 – Apertis: Present (target)
171 – GNU compatibility: Medium, basic set of features 9 172 • busybox tar : BusyBox combines tiny versions of many common UNIX
173 utilities into a single small executable, tar among them.
174 – License: GPLv2
175 – Debian: Present
176 – Apertis: Present
177 – GNU compatibility: Low, only minimum set of features 10 178 • tar-rs : Rust library to manage TAR archives.
7https://github.com/AmokHuginnsson/replxx 8https://www.libarchive.org/ 9https://busybox.net/ 10https://github.com/alexcrichton/tar-rs
7 179 – License: Apache
180 – Debian: Not present
181 – Apertis: Not present
182 Conclusion
183 The package libarchive is mature and already in Apertis. It provides bsdtar
184 which gives a good basement to build a replacement for tar. The approach in
185 this case is to test the use case of interest for target images, to install packages
186 with dpkg.
187 Initial tests replacing tar with bsdtar or busybox tar and installing a package
188 $ sudo apt reinstall libc6
189 Reading package lists... Done
190 Building dependency tree... Done
191 Reading state information... Done
192 The following packages were automatically installed and are no longer required:
193 libcolord2 libegl1-mesa libsys-cpuaffinity-perl libxdelta2 pbzip2 pixz xdelta xdelta3
194 Use 'sudo apt autoremove' to remove them.
195 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
196 Need to get 2,831 kB of archives.
197 After this operation, 0 B of additional disk space will be used.
198 Get:1 https://repositories.apertis.org/apertis v2022dev2/target amd64 libc6 amd64 2.31-
199 9apertis2bv2022dev2b1 [2,831 kB]
200 Fetched 2,831 kB in 3s (887 kB/s)
201 debconf: unable to initialize frontend: Dialog
202 debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76, <> line 1.)
203 debconf: falling back to frontend: Readline
204 Preconfiguring packages ...
205 -x -f - --warning=no-timestamp
206 -x -f -
207 bsdtar: Option --warning=no-timestamp is not supported
208 Usage:
209 List: bsdtar -tf
210 Extract: bsdtar -xf
211 Create: bsdtar -cf
212 Help: bsdtar --help
213 dpkg-deb: error: tar subprocess returned error exit status 1
214 dpkg: error processing archive /var/cache/apt/archives/libc6_2.31-
215 9apertis2bv2022dev2b1_amd64.deb (--unpack):
216 dpkg-deb --control subprocess returned error exit status 2
217 Errors were encountered while processing:
218 /var/cache/apt/archives/libc6_2.31-9apertis2bv2022dev2b1_amd64.deb
219 E: Sub-process /usr/bin/dpkg returned an error code (1)
220 After omitting the argument the process finish without issues.
221 As a result, with little effort the either bsdtar or busybox tar can be used as a
8 222 valid replacement of tar.
223 Package cpio-gplv2
224 Source: https://www.gnu.org/software/cpio/
225 Package cpio-gplv2 ships version 2.8 of GNU cpio which is used to copies files into
226 or out of a cpio or tar archive. The archive can be another file on the disk, a
227 magnetic tape, or a pipe. This same functionality can be provided by: 11 228 • libarchive : Multi-format archive and compression library, which includes
229 the libarchive library, the bsdtar and bsdcpio command-line programs, full
230 test suite, and documentation.
231 – License: BSD-2-clause
232 – Debian: Present
233 – Aperts: Present
234 – GNU compatibility: Medium, basic set of features 12 235 • busybox cpio : BusyBox combines tiny versions of many common UNIX
236 utilities into a single small executable, cpio among them.
237 – License: GPLv2
238 – Debian: Present
239 – Apertis: Present
240 – GNU compatibility: Low, only minimum set of feature 13 241 • cpio-rs : Rust library to manage CPIO archives.
242 – License: MIT License
243 – Debian: Not present
244 – Apertis: Not present
245 Conclusion
246 The package libarchive is mature and already packaged in Apertis. This pro-
247 vides bsdcpio as a good base to build a replacement for cpio. In this case we
248 need to test if it can successfully be used to build the initramfs used in Apertis.
249 Initial test, replacing cpio with bsdcpio and busybox cpio and running update-
250 initramfs, was successful with no errors.
251 Package diffutils-gplv2
252 Source: https://www.gnu.org/software/diffutils/
253 Package diffutils-gplv2 ships version 2.8.1 of GNU diffutils, a set of programs
254 to find differences between files. Similar functionality can be obtained by:
11https://www.libarchive.org/ 12https://busybox.net/ 13https://github.com/jcreekmore/cpio-rs
9 14 255 • busybox diff : BusyBox combines tiny versions of many common UNIX
256 utilities into a single small executable, diff among them.
257 – License: GPLv2
258 – Debian: Present
259 – Apertis: Present
260 – GNU compatibility: Low, only minimum set of feature 15 261 • ccdiff : Perl script to achieve same functionality than diff but improving
262 the visual output with colors.
263 – License: Artistic-2.0
264 – Debian: Present
265 – Apertis: Not present
266 – GNU compatibility: High
267 – Runtime dependencies:
268 ∗ libalgorithm-diff-xs-perl (not in Apertis - Artistic)
269 ∗ libalgorithm-diff-perl (development - Artistic)
270 ∗ libscalar-list-utils-perl (development - Artistic) 16 271 • colordiff : The Perl script colordiff is a wrapper for diff and produces
272 the same output but with pretty ‘syntax’ highlighting. Colour schemes
273 can be customized. 17 274 • rust-diff : A rust library to compute text diffs.
275 Conclusion
276 The most suitable replacement found is busybox diff, since it provides the basic
277 functionality required on target images. Initial tests shows that ccdiff has
278 same functionality, very similar arguments and similar output (adds colors) to
279 diff. However, since it is a perl script it requires additional dependencies to be
280 installed.
281 Additionally it was found that diff is used on package install by dpkg but the
282 process runs smoothly with busybox diff and also with ccdiff. The features
283 of cmp, diff3 and sdiff are not supported, however there is not much value in
284 target images.
285 Package findutils-gplv2
286 Source: https://www.gnu.org/software/findutils/
287 Package findutils-gplv2 ships version 4.2.31 of GNU findutils a set of basic
288 directory searching utilities. Alternatives to this package are:
14https://busybox.net/ 15https://metacpan.org/pod/App::ccdiff 16https://www.colordiff.org/ 17https://docs.rs/diff/0.1.12/diff/
10 18 289 • busybox find/xargs : BusyBox combines tiny versions of many common
290 UNIX utilities into a single small executable, find and xargs among them.
291 – License: GPLv2
292 – Debian: Present
293 – Apertis: Present
294 – GNU compatibility: Low, only minimum set of feature 19 295 • uutils-findutils : A rust implementation of findutils
296 – License: MIT License
297 – Debian: Not present
298 – Apertis: Not present
299 – GNU compatibility: High in mind, however it is in early stage of
300 development
301 Conclusion
302 Currently the best approach to have a replacement for the set of utilities pro-
303 vided by findutils is to use busybox find and busybox xargs. These are already
304 present in Apertis and their limited functionality is not impacting the existing
305 limited usage by the packages which depend on them.
306 The package uutils-findutils is being developed by the same community which
307 develops uutil-coreutils, which has been chosen by Apertis as a replacement 20 308 for coreutils as discussed in GPL-3-free replacements of coreutils .
309 • High GNU compatibility
310 • High community support
311 • High community impact
312 • Portability in mind
313 • Ongoing development
314 • Implemented in a modern memory safe language
315 However, it is in an early stage of development and thus we recommend to wait
316 for it to mature and then re-evaluate it as a replacement for find. Additionally
317 it is important to mention that it does not yet support xargs.
318 Unfortunately initial tests with busybox find show that additional functionality
319 is required by update-initramfs
320 find: unrecognized: -printf
321 find: unrecognized: -regextype
322 A similar issue is found with uutils-findutils find which triggers
323 find: unrecognized: -printf
324 These limitations needs to be addressed before switching to it.
18https://busybox.net/ 19https://github.com/uutils/findutils 20https://www.apertis.org/concepts/coreutils-replacement/
11 325 Package grep-gplv2
326 Source: https://www.gnu.org/software/grep/
327 Package grep-gplv2 ships version 2.5.1a of GNU grep, which searches one or more
328 input files for lines containing a match to a specified pattern. By default, grep
329 outputs the matching lines. 21 330 • busybox grep : BusyBox combines tiny versions of many common UNIX
331 utilities into a single small executable, grep among them.
332 – License: GPLv2
333 – Debian: Present
334 – Apertis: Present
335 – GNU compatibility: Low, only minimum set of feature 22 336 • ugrep : A grep alternative aim to be faster and with additional features.
337 – License: BSD-3-Clause License
338 – Debian: Present
339 – Apertis: Not present
340 – GNU compatibility: High
341 – Runtime dependencies:
342 ∗ libbz2-1.0 (target)
343 ∗ libc6 (target)
344 ∗ libgcc-s1 (target)
345 ∗ liblz4-1 (target)
346 ∗ liblzma5 (target)
347 ∗ libpcre2-8-0 (target)
348 ∗ libstdc++6 (target)
349 ∗ libzstd1 (target)
350 ∗ zlib1g (target)
351 Conclusion
352 The goal to provide the required features for target images can be accomplish
353 by using busybox grep without adding additional packages, making it the best
354 option. Initial tests booting an image and installing packages don’t show any
355 issues.
356 It is worth mentioning that in cases where higher compatibility with GNU is
357 required, the ugrep package is already in Debian and all its dependencies are
358 already in target, making it a viable alternative.
359 Package gzip-gplv2
360 Source: https://www.gnu.org/software/gzip/
21https://busybox.net/ 22https://github.com/Genivia/ugrep
12 23 361 • busybox gzip : BusyBox combines tiny versions of many common UNIX
362 utilities into a single small executable, gzip among them.
363 – License: GPLv2
364 – Debian: Present
365 – Apertis: Present
366 – GNU compatibility: Low, only minimum set of feature 24 367 • flate2-rs : Rust library to manage ZIP archives.
368 – License: Apache
369 – Debian: Not present
370 – Apertis: Not present
371 Conclusion
372 In order to replace gzip the best alternative is to used busybox gzip, which even
373 with the its limitations it is enough for the requirements in target images
374 Package sed-gplv2
375 Source: https://www.gnu.org/software/sed/
376 Package sed-gplv2 ships version 4.1.2 of GNU sed a non-interactive command-line
377 text editor. 25 378 • busybox sed : BusyBox combines tiny versions of many common UNIX
379 utilities into a single small executable, sed among them.
380 – License: GPLv2
381 – Debian: Present
382 – Apertis: Present
383 – GNU compatibility: Medium, only minimum set of feature, but there
384 are not much difference
385 Conclusion
386 In order to provide a replacement for sed-gplv2 the use of busybox sed is recom-
387 mended since no other package depends on and the basic functionality provided
388 by busybox sed covers most common use cases.
389 Initial tests
390 Besides of the partial tests done when analyzing each package, as part of the
391 initial test the following actions have been done
392 • Boot target image with tools replaced
393 • Reinstall all the packages in target image
23https://busybox.net/ 24https://github.com/rust-lang/flate2-rs 25https://busybox.net/
13 394 These rest were passed successfully which shows that the suggested approach
395 is viable. Despite this promising results further testing should be conducted to
396 assure a smooth transition.
397 General conclusions
398 For most of the packages there is a valid replacement in Debian Bullseye which
399 should require little effort. However there are two that will require a develop-
400 ment effort
401 • readline5
402 • findutils-gplv2
14